Currently I am looking for a workable solution for the following situation:
Let's say that an IPA client has been stolen (or compromised). What
can we do to block all access from it towards IPA (and the rest)?
For example, if we use the command "ipa host-disable", it's noticed
that IPA users are no longer able to log in to the system. But if you
log into the system as root, then you can still run (successfully) the
command kinit and obtain a ticket for it.
Even if you delete the host from the directory, the behavior remains
the same.
Can this be blocked in any way?
Regards,
Daniel


Hi Daniel,

host-disable removes the host Kerberos keys and certificates from LDAP,
as you correctly observe. This means that all services on the
compromised host stop working. SSSD will also stop working since it uses
the now invalid host keytab to perform user lookup; that's why ssh'ing
to the host as an IPA user stops working.

However, there is nothing preventing the attacker from trying to kinit as
admin directly without SSSD on the machine, which can potentially lead to
a DoS attack on the admin user. So if you realize that the host was
compromised, it is best to first run host-disable and then block all
traffic from that host on ports 88 tcp/udp (Kerberos), 464 tcp/udp
(kadmin), 749 tcp/udp (kpasswd IIRC) and the LDAP(S) ports (389, 636 tcp).
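The two-step quarantine described in the reply above, as an added example (not code from the thread or from the FreeIPA project): it prints the host-disable command followed by nftables drop rules for the listed ports, for an admin to review and run on each IPA server. It assumes nftables with an "inet filter" table and "input" chain; the host name and address are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate the commands to quarantine one compromised IPA
# client. Nothing is applied; the output is meant to be reviewed, then run
# as root on every IPA server (a stolen client can reach any replica).
set -eu

# Ports named in the reply: Kerberos, kadmin, kpasswd (tcp and udp) and
# LDAP/LDAPS (tcp only). Table/chain names are assumptions.
KRB_PORTS="88 464 749"
LDAP_PORTS="389 636"
NFT_TABLE="inet filter"
NFT_CHAIN="input"

# Print one nft drop rule per port/protocol for the given source address.
# Usage: ipa_block_rules 192.0.2.10   (constructed example address)
ipa_block_rules() {
    addr="$1"
    for p in $KRB_PORTS; do
        for proto in tcp udp; do
            echo "nft add rule $NFT_TABLE $NFT_CHAIN ip saddr $addr $proto dport $p drop"
        done
    done
    for p in $LDAP_PORTS; do
        echo "nft add rule $NFT_TABLE $NFT_CHAIN ip saddr $addr tcp dport $p drop"
    done
}

# Number of rules that ipa_block_rules emits; useful as a sanity check
# (3 Kerberos ports x 2 protocols + 2 LDAP ports = 8).
ipa_block_rule_count() {
    ipa_block_rules "$1" | wc -l | tr -d ' '
}

# Full plan: disable the host entry first (revokes its keytab and certs),
# then drop its traffic so a local root cannot keep calling kinit at the KDC.
# Usage: ipa_quarantine_plan client.example.test 192.0.2.10
ipa_quarantine_plan() {
    fqdn="$1"; addr="$2"
    echo "ipa host-disable $fqdn"
    ipa_block_rules "$addr"
}
```

Run the printed commands on each server; blocking at the network edge is the only part that stops the kinit attempts from a host whose own root you no longer trust.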